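/**
 * Authorization middleware factory using the `(options, app)` signature.
 *
 * The returned middleware forwards a request only when the caller is
 * authenticated and one of the permission keys reachable through the
 * caller's roles equals the requested path. Every other request is answered
 * with 403 and `next()` is never called, so the check is deny-by-default.
 * A failing permission query propagates as an exception; it never grants access.
 *
 * NOTE(review): the lookup is keyed on the path alone. The HTTP method is not
 * part of the check, so every method on a granted path shares one permission.
 * Confirm that this is intended.
 * NOTE(review): the permission set is queried on every request.
 *
 * @param {object} _options - middleware options (unused here)
 * @param {object} _app - application instance (unused here)
 * @returns {Function} async middleware `(ctx, next)`
 */
module.exports = (_options, _app) => {
    // Single place that builds the refusal, so both deny paths stay identical.
    const deny = (ctx) => {
        ctx.status = 403;
        ctx.body = { success: false, error: '无权限' };
    };

    return async function (ctx, next) {
        if (!ctx.isAuthenticated()) {
            deny(ctx);
            return;
        }

        const user = ctx.user;
        // Every permission key granted to the user through any of their roles.
        // user.id is bound through the `?` placeholder, never concatenated.
        const rows = await ctx.app.mysql.query(`SELECT permission.KEY FROM role_user INNER JOIN role_permission ON role_user.role_id=role_permission.role_id  INNER JOIN permission ON role_permission.permission_id=permission.id WHERE role_user.user_id=?`, [user.id]);

        // The query spells the column `KEY`, so the driver may label the
        // result field `KEY` rather than `key`; read whichever is present.
        // Non-string values are dropped so a missing field can never equal
        // a missing path and open the gate.
        const granted = new Set(
            rows
                .map((row) => (row.key !== undefined ? row.key : row.KEY))
                .filter((key) => typeof key === 'string')
        );

        // ctx.url carries the query string, so comparing it alone refuses
        // "/path?page=2" even when "/path" is granted. Match the bare path
        // first; the full URL is still accepted so keys stored with a query
        // string keep working.
        const allowed = granted.has(ctx.path) || granted.has(ctx.url);
        if (!allowed) {
            deny(ctx);
            return;
        }

        await next();
    };
};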